I just realized somewhat late that despite all the talk about this, I can't seem to find a list of games with this ability. There's a category for this, but some runs don't exactly seem to be added for whatever reason, and other games don't even use it due to being slower, so I tried:
* Wario Land: Super Mario Land 3
Games without movies of this:
* Addams Family Values (http://tasvideos.org/forum/viewtopic.php?p=457322#457322)
* Donkey Kong Country 2
* Golden Sun 1, 2
* Open Tournament Golf (DPCM exploit)
* Mega Man (Apparently, it's still possible)
* Pokemon Stadium
* Super Mario Brothers 2 (DPCM exploit)
* Super Mario Sunshine
* The Legend of Zelda: Oracle of Ages
Not sure if those wii exploits count as well.
Joined: 3/9/2004
Posts: 4588
Location: In his lab studying psychology to find new ways to torture TASers and forumers
No Battletoads? :(
Warning: Opinions expressed by Nach or others in this post do not necessarily reflect the views, opinions, or position of Nach himself on the matter(s) being discussed therein.
You can add Super Metroid to the list as well.
Edit:
Oh, and NES Open Tournament Golf as well (has a way to get into an ACE state using the NES DPCM glitch).
There are probably a bunch more NES titles that allow this using the same glitch as well, but none that I have confirmed it for.
Maybe in that listing you can differentiate between total control type of ACE, and non-total control.
Super Mario Land 2 would be non-total control since the things you can do in that game ACE-wise are very limited. It barely manages to execute some pre-aligned bytes to jump into ROM to somehow trigger the ending, but it's not like you get to write your own program like you can in Super Mario World or Pokemon Yellow (which I'd deem total control type of ACE games).
I think games that have ACE only using DPCM glitch should be listed separately. ACE is ACE, but DPCM glitch related ACE is so far removed from any semblance of having to follow the game and its programming that it feels unfair to the game.
(Similarly, ACE that requires modifying save data separately, or sending invalid data along a link cable or similar device, should be listed but as a separate category)
AFAIK:
-Every NES game that uses DPCM has a high likelihood of having DPCM glitch ACE
-Only a few games have been confirmed to have it work, among them SMB2 and Open Tournament Golf
AFAIK:
-Every NES game that uses DPCM has a high likelihood of having DPCM glitch ACE
I assume you are talking about controller read workaround, and if so, then no, this isn't the case. There have been a few tested routines so far and it turns out not as many as previously imagined are vulnerable.
MUGG wrote:
Maybe in that listing you can differentiate between total control type of ACE, and non-total control.
wat
If you can't load your own code, it isn't arbitrary. If you are limited in what you can enter (not length, but content), it isn't arbitrary. As I understand it, SML2 doesn't allow execution of arbitrary code / specific opcodes, only some subset.
The old MM1 glitch wasn't ACE even though it jumped to credits. The glitch demonstrated at AGDQ is ACE.
Maybe in that listing you can differentiate between total control type of ACE, and non-total control.
wat
If you can't load your own code, it isn't arbitrary. If you are limited in what you can enter (not length, but content), it isn't arbitrary. As I understand it, SML2 doesn't allow execution of arbitrary code / specific opcodes, only some subset.
The old MM1 glitch wasn't ACE even though it jumped to credits. The glitch demonstrated at AGDQ is ACE.
SML2 uses a glitch that makes the PC jump into RAM and execute some bytes there, and that's where the TAS executes a jump to ROM (and that's why it qualifies as ACE). You can't directly write your own bytes, but you can influence the addresses to some extent to have favorable values. Which is what the TAS did.
I was just thinking this kind of limited ACE is present in other games, not just SML2. I would be interested to know them.
What is the ACE set up for Battletoads? I was only aware of the game end glitch of loading incorrect objects.
And yeah as True says DPCM will not always lead to ACE. Some games don't even use the vulnerable read routine (i.e. Ninja Gaiden) and those that do it is only happenstance of coding that would lead to ACE, it's more likely you'd just get a crash due to the stack corruption.
SML2 uses a glitch that makes the PC jump into RAM and execute some bytes there, and that's where the TAS executes a jump to ROM (and that's why it qualifies as ACE). You can't directly write your own bytes, but you can influence the addresses to some extent to have favorable values. Which is what the TAS did.
If you can't execute whatever code you want, then it doesn't qualify as Arbitrary Code Execution. ACE isn't a more limited form of "total control". ACE is total control. What you're describing sounds like a more limited form of memory corruption.
NES Battletoads is a "limited ACE", the published TAS manipulates specific values to be written in to to available object slots while advancing the config pointer. The thing it makes look like an ACE (or at least the technique to corrupt more heavily) is the structure of the input:
- pressing buttons on P1 to manipulate next object (limited possibilities)
- wait 1 frame
- press ABSTUDLR (0xFF) that lets you make another manipulation
- wait 1 frame, go step 1
You can't (with current knowledge) make a payload and play snake/whatever because of cpu cycle dependency and the big time differences between inputs are crucial (and impossible so far).
PhD in TASing 🎓 speedrun enthusiast ❤🚷🔥 white hat hacker ▓ black box tester ░ censorships and rules...
Joined: 4/17/2010
Posts: 11475
Location: Lake Chargoggagoggmanchauggagoggchaubunagungamaugg
In battletoads the method used is arbitrary data manipulation, not arbitrary code execution. There's some period where battletoads executes open bus, which can theoretically be manipulated to look like it's executing sensible commands, but it's very hard and no one feels like doing it.
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
NES Double Moon Densetsu may have an ACE vulnerability, because you can probably overwrite stack area (see "Saving/loading with illegal character id" section).
In NES Aces Iron Eagle 3 (Japanese port of Ultimate Air Combat), I had experienced a sudden freeze. It happened when I was playing air-to-air combat (3-D shooter) in "CRUDE&RUDE" mission using F-14 Tomcat on FCEUX. Unfortunately I did not record a movie, so I don't know the detail of the freeze.
In battletoads the method used is arbitrary data manipulation, not arbitrary code execution. There's some period where battletoads executes open bus, which can theoretically be manipulated to look like it's executing sensible commands, but it's very hard and no one feels like doing it.
Would you mind sharing the details of this feos? It sounds interesting.
Warning: When making decisions, I try to collect as much data as possible before actually deciding. I try to abstract away and see the principles behind real world events and people's opinions. I try to generalize them and turn into something clear and reusable. I hate depending on unpredictable and having to make lottery guesses. Any problem can be solved by systems thinking and acting.
Addams Family Values. I jumped to the controllers. I held down some buttons to call the credits after but I'm sure somebody could think of something more creative to do...
Link to video
I'm still looking for an RTA-viable method so I can get back to running this game. Feel free to solve that for me if you're feeling bored, lol.
Ambassador, Moderator, Site Developer, Player
(155)
Joined: 3/17/2018
Posts: 358
Location: Holland, MI
These gamecube games all have total control save data exploits:
Animal Crossing
BMX XXX
F-Zero GX
James Bond 007: Agent Under Fire
The Legend of Zelda: Twilight Princess
The Legend of Zelda: The Wind Waker
Pokémon Colosseum
Pokémon XD: Gale of Darkness
Super Smash Bros. Melee
Tom Clancy's Ghost Recon 2
Tom Clancy's Splinter Cell
Tom Clancy's Splinter Cell: Pandora Tomorrow
Phantasy Star Online Episode I & II is also vulnerable to ACE via PSOLoad (broadband adapter game update exploit)
NES Adventures of Lolo 3 might also have a DPCM exploit. I was able to cause a CPU stack overflow with subframe inputs (though I haven't investigated whether it leads to credit warp, etc.).
